The invention concerns a method and apparatus for access-supervision and protection against unauthorized access in communication networks in which information in the form of a message can be transmitted over the network and a particular portion of the information contained in the message is employed for supervising the right of access to the receiver of the message.
Communication networks of this type, also called "local area networks" (LAN), connect closely positioned, more or less intelligent electronic systems so that these systems can communicate with one another. For this purpose, information bits are transmitted in serial format, in the form of messages, over conductors of the network from one information source to one or more information receivers, and by this means particular actions, also called "services", are triggered on the basis of the received information.
Depending upon the purpose for which the LAN is applied, for example the connection of computing systems and their peripheral devices (electronic data processing, EDP) or the implementation of process automation (control techniques), characteristic differences exist in regard to the network participants, the transmitted information, and the protection against willful or unintentional misuse.
In the networks of the EDP's the network participants are computers, terminals, peripheral devices and so forth. The quantity of information transmitted over the network for each transmitted information packet is large, however seldom time critical. Protective measures provided should anticipate the willful misuse of the transmitted information and should prevent the impermissible utilization of services and functions by unauthorized participants. On account of active and foreseeable attempts of misuse a "basis of mistrust" must be the foundation for a suitable (strong) protective system. The required protective measures are therefore comprehensive and expensive. In LAN's for EDP adequate resources are usually available in the network participants in order to achieve these additional objectives reasonably and also timely.
In other networks, which serve the above-referenced control technique, the network participants are sensors, actuators and control systems. The information transmitted over the network consists mostly of short messages with limited diversity of information which is, however, potentially time-critical. Protective measures are seldom implemented. They serve above all as protection against unintentional erroneous processing and to a lesser extent protection against willful misuse of the transmitted information or the available services and functions. Protection against such misuse therefore can be rather weak, founded on a "basis for trust", and can be easily installed. Known protective mechanisms, in the simplest embodiment, examine the authority of a particular bus-participant of addressing another particular bus-participant (access control), as well as the authority of the addressing participant to trigger a particular action at the receiver. The individual network participants, however, often do not have sufficient resources to guarantee total protection comprehensively and timely.
As a result of increased coupling of networks for control technology with the above-referenced EDP-oriented networks by means of any type of bus-coupling, or due to more universal service units and complex networks, there is an increased risk of unintentional or unforeseeable command executions with directly traceable damages. On account of this, there is also a growing demand for protective measures with networks for control technology.
In one known method ("Profibus", DIN 19245) a portion of the information contained in the transmitted message and additional information stored with (at) the bus-participant are employed for the purpose of verifying or supervising the right-of-access. Here the sender, the addressee, as well as the action to be accomplished are extracted from the message. The information stored at each bus-participant for the purpose of protecting against unauthorized access is a table in which the right of access is defined with respect to each possible participant or each possible required action. With the aid of data contained in the table such as passwords, access groups, rights of access and indexes, access authorization of a bus-participant for the execution of a desired action can be determined upon arrival or receipt of a message. The result of an examination of this table is either the authorization of access or the denial of access whereby the execution of the desired action or the retraction of the command for action is triggered respectively.
With this known method, it is considered to be disadvantageous that the information necessary for supervision but not contained in the message must be stored with each addressee, which requires memory space and calculating time for the operation. Furthermore, with regard to information consistency, the content and place or division of the information for the access authorization in the various tables and their partial duplication can lead to difficulties. Besides, with simple bus-participants having very little memory capacity available, even a simple password protection or supervision for the right of access can scarcely be realized with the above-mentioned method.
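The receiver-side table check described above, and the storage and consistency drawbacks attributed to it, can be seen in a small model. This is an added example, not code from the patent or from DIN 19245: the message fields, station addresses, action codes and table contents are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed message fields; not the DIN 19245 frame layout. */
typedef struct { uint8_t sender, addressee, action; } msg_t;
/* One row of the access table stored at a receiver. */
typedef struct { uint8_t sender, action; } acl_entry_t;
typedef struct { uint8_t addr; const acl_entry_t *acl; size_t n; } participant_t;

enum { ACT_READ = 1, ACT_WRITE = 2 };   /* hypothetical action codes */

/* Constructed tables: the valve's copy was updated to drop station 0x05's
 * write right; the pump's duplicated copy was not. */
static const acl_entry_t valve_acl[] = { {0x02, ACT_READ}, {0x02, ACT_WRITE}, {0x05, ACT_READ} };
static const acl_entry_t pump_acl[]  = { {0x02, ACT_READ}, {0x02, ACT_WRITE},
                                         {0x05, ACT_READ}, {0x05, ACT_WRITE} };
static const participant_t stations[] = {
    { 0x10, valve_acl, sizeof valve_acl / sizeof valve_acl[0] },
    { 0x11, pump_acl,  sizeof pump_acl  / sizeof pump_acl[0]  },
};
#define N_STATIONS (sizeof stations / sizeof stations[0])

/* Receiver-side check: 1 = execute the action, 0 = reject (default deny). */
int check_access(const participant_t *p, const msg_t *m) {
    if (m->addressee != p->addr) return 0;
    for (size_t i = 0; i < p->n; i++)
        if (p->acl[i].sender == m->sender && p->acl[i].action == m->action) return 1;
    return 0;
}

/* Table storage summed over all receivers: the memory cost of the scheme. */
size_t total_acl_bytes(void) {
    size_t sum = 0;
    for (size_t i = 0; i < N_STATIONS; i++) sum += stations[i].n * sizeof(acl_entry_t);
    return sum;
}

/* Number of receivers whose local table still grants (sender, action). */
size_t receivers_granting(uint8_t sender, uint8_t action) {
    size_t hits = 0;
    for (size_t i = 0; i < N_STATIONS; i++) {
        msg_t m = { sender, stations[i].addr, action };
        hits += (size_t)check_access(&stations[i], &m);
    }
    return hits;
}

int main(void) {
    printf("table bytes: %zu, receivers still granting 0x05 write: %zu\n",
           total_acl_bytes(), receivers_granting(0x05, ACT_WRITE));
    return 0;
}
```

A non-zero result from `receivers_granting` for a right that was meant to be withdrawn is the consistency problem in miniature: every duplicated table has to be updated before the withdrawal takes effect everywhere.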
In addition to the aforementioned method ("Profibus") there exists on the other hand for the exclusive security of correct data transmission a plurality of methods to make transmission errors recognizable with the aid of redundancy additionally built into the message. Recognized errors can thereby be employed solely for error indication in the simplest case, but also for error correction. While in the simplest case each receiver accomplishes the error supervision itself, a so-called instrumentation bus ("I-Bus") has been proposed also (ELECTRONIK, Vol. 38, No. 17, 18 August, 1989, Munich, pp. 93-96; K. Schwaiger et al.: Die Vielfalt der Daten bündeln).
With the "I-Bus" an additional increase in the data transmission reliability is intended with data transmission between components within a motor vehicle. To this end, also other bus-participants examine messages, which are not addressed to them, with the aid of parity bits and check-sum bytes for correct transmission; a message recognized as being erroneous is generally declared to be invalid by means of an interrupt signal. With an I-bus however the problem of monitoring the right of access is neither addressed nor solved.